Riding the hype cycle: an interview with Micro Focus CTO Lars Rossen
IT4IT innovator on tech timing and getting digital transformation right
Lars Rossen talks a lot about time - and timing. Back in 2008, when he worked for HP, it was obvious to those in the business that a confluence of technologies would soon make a reality of utility computing; indeed the movement now had a name: 'cloud'. However, they seriously underestimated how long it would take to move through the hype cycle.
"I distinctly recall a meeting I had with HP senior management where they were saying, ‘there is all this really exciting cloud transformation going on, we need to have a cloud automation product available so that we can help customers automate and control that transformation, and by the way, it's here and now, so you need to get it finished in one year."
So, for the next 12 months Rossen and his colleagues "laboured day and night" to deliver a hybrid cloud management solution, only to find there was no demand.
"Everyone was talking about it and no-one was actually doing it. If we had been a small company that gambled on cloud automation back in 2008/9 we could have gone bankrupt."
Back then, hybrid cloud was incredibly complex, but analyst predictions and press articles gave the impression that the new world was just around the corner. HP had the right idea (the product went on to become Micro Focus's Hybrid Cloud Management), but they were way too early.
In fact, Rossen contends, it's only very recently that cloud computing has really entered the 'plateau of productivity' on Gartner's famous hype cycle.
"It took probably five to seven years for it to move from hype to disillusion, and then another five to seven years before it became mainstream. And that happened within the last two years."
Who's really doing DevOps?
A similar stretched adoption curve can be observed with DevOps. While it might seem that everyone and his or her dog is merrily DevOps-ing away, few are really 'doing DevOps' as in merging Dev and Ops, let alone bringing in security.
"Everybody's says they're doing DevOps, but when I go in and talk to them it's still developers saying, 'We can figure out how to do the deployment', and that's about it. It's not truly a single team that does it. Yes, Google is doing it, but the rest are still trailing."
Meanwhile, in most organisations security remains siloed and apart, he added.
"The DevSecOps agenda today is very much driven by the security groups. The true love and embrace of the DevOps people with security is still to happen."
Value streams
And a third example is digital value streams, which are the basis of the IT4IT framework, the original specification for which was written by Rossen almost a decade ago.
Value streams borrow from manufacturing, where each step in a production line process adds value to a product. Indeed, Rossen came up with the concept of the 'digital factory', a way of helping CIOs obtain a coherent view of all the processes, products and data involved in a business and how they intact, so they can be rationalised, optimised and automated, as with a factory production line.
The idea resulted from seeing how consultancies tended to create individual strategies for each customer or sectors, whereas in fact a prescriptive framework for digital transformation can be broadly applicable.
IT4IT
IT4IT is a reference architecture that uses a value stream approach to model IT activities in order to help CIOs identify those that mesh with the organisation's goals. It breaks down activities into four stages: plan, build, deliver and run.
IT4IT is compatible with other frameworks such as ITIL and SAFe. It helps IT leaders manage activities such as moving to the cloud, deploying DevOps and digital transformation. With a focus on information needed to manage IT and the flow of data between IT management systems, IT4IT is process-agnostic and useful for businesses of all sizes and industries.
It is managed by the Open Group.
At the time, most organisations of any size were far from operating like a digital factory and were more like "villages with their own shops", said Rossen, who was convinced that viewing them as digital value streams would help CIOs get a handle on their processes.
"So I talked to Gartner about this concept of value streams for IT, and they said 'that's that's not interesting, nobody's talking about that'," Rossen said.
But they are interested now, in part, says Rossen, because Micro Focus, where he's worked since 2017, the last 18 months as CTO, has been publicly eating its own dog food.
"We started using it in transforming our own business and our own portfolio and lo and behold, three or four years ago SAFe started to introduce value streams as an important concept, ITIL 4 has value streams as part of it, and now Gartner has some pretty good stuff around what value stream management really means, and they are preaching it."
Toolchain consolidation
Rossen says the value stream model has important implications for DevOps tools. Innovation is only a net positive where it adds value, so it makes sense to standardise on things like Git repositories, backlog managers and pipelines where the main bulk of innovation has already happened, and particularly to consolidate security tools.
"You will be more efficient by directing everybody to use the same Git repository within your organisation, so you don't have five different ones. Because that makes sharing better but also makes DevSecOps possible," he said. "If you don't have a common repository for source code, it's very difficult to create an efficient manner of doing code scanning."
Typically, developers glue their own toolchains together from their favourite components, he went on, but this creates security holes.
"If I'm a supply chain hacker, it's wonderland for me, because there are so many potential security holes in these 10 different ways of implementing the tool chain."
All of which means that consolidation of the DevOps toolchain is inevitable and desirable - with the important proviso that its components remain open and composable, so CIOs don't find themselves locked in by their initial decisions.
Rossen claims that Micro Focus is one of the few organisations to have properly implemented DevSecOps, first by standardising on GitHub and its own backlog manager, allowing developers to become aware of their own coding blunders; and then adding in the security elements in a controlled manner. But it wasn't easy.
"We've integrated [security] in the tool chain now, but it's been four years of iterative change of the mentality, onboarding the four or five thousand developers into that method. But the end result has actually been pretty fantastic. The acceleration we've been able to do because of this is pretty cool."
Given Micro Focus's history of acquisitions, a modular approach comes naturally, he added. It has also helped the company manage the constant swirl of tech trends: "I think one of our strengths is that we have the stamina because of our size and our history to actually ride the hype curve."
Cloud choices
Consolidation has already happened in cloud infrastructure, of course, with three major players in the west, plus China's Alibaba. Has it gone too far? Rossen doesn't think so, pointing to the fact that fairly recently AWS was thought to be taking over the world, whereas now Microsoft is catching up.
He pointed out that 100 years ago there was a huge number of car companies whereas now there are just a handful of global players, and that car rental companies don't just offer, say, Ford cars.
"I see something similar with IaaS. Compute is a commodity, and that's the key point. You don't really need to have 100 different providers of a commodity. You want to have healthy competition, but you can have that across say 5 or 10 companies, that's fine."
However, he went on, like the car rental companies, it makes sense for companies to choose software that can be moved to other platforms if necessary, or at least to understand the balance of risks and benefits of going all in on one.
"If it gives you a competitive edge, use DynamoDB, right? It scales and does the wonderful stuff that needs to do. But you need, as an organisation, to be in control of the decision, so it's not just a random developer saying, ‘I'm going to use this'.
"Now if I'm going to consume something that gives a lock-in to Amazon, I can put a price tag on what it will cost me to get out of it again, so I can make a conscious decision about the lock-in.
"The big picture thing is to understand how you live in a very complicated ecosystem. Your supply chain is very complicated in digital, and you need to get in control of it. It really is important for enterprises to think about that."